qakbot | 1781baade35306801b764ca5c0e8c1e2bcf8323fe56ac469520ba9e29b13374a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
Size

459KB
MD5

0a29918110937641bbe4a2d5ee5e4272
SHA1

7d4a6976c1ece81e01d1f16ac5506266d5210734
SHA256

780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3
SHA512

998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f
SSDEEP

6144:T4+8LGS5U/dvT6+adDaMuMeek1Wg3NkA+8hMzA1W9xCTSI:8fZ5U/dvPadDrNebWg3N+QMc16MOI

Score

10^/10

qakbot tchk06 1702463600 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk06

Campaign

1702463600

45.138.74.191:443

65.108.218.24:443

Attributes

camp_date
2023-12-13 10:33:20 +0000 UTC

Signatures

Detect Qakbot Payload 13 IoCs

resource	yara_rule
behavioral2/memory/4832-1-0x000001F5195C0000-0x000001F5195EF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4832-3-0x000001F519590000-0x000001F5195BD000-memory.dmp	family_qakbot_v5
behavioral2/memory/4832-6-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4832-7-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1144-9-0x000002668C210000-0x000002668C23E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1144-15-0x000002668C210000-0x000002668C23E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4832-25-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1144-26-0x000002668C210000-0x000002668C23E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1144-27-0x000002668C210000-0x000002668C23E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1144-28-0x000002668C210000-0x000002668C23E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1144-29-0x000002668C210000-0x000002668C23E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1144-30-0x000002668C210000-0x000002668C23E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1144-32-0x000002668C210000-0x000002668C23E000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 12 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\gyloruaeokwoixo\892d8017 = 673f68057ef676ccc5fc2d5a50cf91d461c4f336c426408e61edccc3db42fdf12a4eb8ca911cd2e7ac5074d1094f832e139163b225f4ad27286dfb8c3b9aa96e3b74349e69331d0c5b18d2830cdfea135ba1cca9c1e7a6b770fe289ac7d2bf34b5d90683d55b4ad02ba550490735668d2bca3295b8bba49fba2a6e8654f9615570	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\gyloruaeokwoixo\9d20cfa2 = c5b3db39f0625279290a7731b4fd72146b45cde5228a6d12c51c081911366187ee48de1e8a2b6285771bd3927e3ddbe420d0d8325adbce0c5184bcd6f8a1d0ccc68af178d9f54a800019035b874193ecc16988d30f413fed190d2ee26eb1ab36e8de7ff5d180927e7d1219aecc356ae062	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\gyloruaeokwoixo\96629b3c = 64787e05f1fd289e618cf112e211753ddfd9b58facd64da48f1bf94a8d43c6b6a1aa7e300845441bfa651101536e5e7a16a25baaa5461dbdebfcbaba3f9de4968fbb71b6ba48de83d2eab5a8c6b3ae169a30b71813d9e8a545c700f5c68e8d3b96c9825625a5150f3a1eb7dc77f89254cf	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\gyloruaeokwoixo\5ac89ba2 = e7315377015887b40eb20f1189246e37543dca6d8c74a4481d5b3d12056dac04f0	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\gyloruaeokwoixo\ce0d36a = 24f94617e4019a84105db806c573304801f29973ac36658adb9d7112afa244ccbebce1c2b4e4ddbf8c6327e47eb5af42adc852e4218486b31f53df014644b6ef775006951e7fbec3274318c9c71dd55940423dfd4760cfa6b9e18768e474913d9f52285c95d1d7ec71eac284eb90c78772578ce67fba00ae6eb6f52d524beb77c1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\gyloruaeokwoixo\d678eed = 045ff6ca5caec79f80ef7374d3d3187dbb480df40a923d0b9fb220b7b1aec41ef81c6ff062f8127a54cbc0ca28441fea94ec99d04e7f3217083a49f2729e9b4e06	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\gyloruaeokwoixo	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\gyloruaeokwoixo\45878089 = 05d882d554df9800e62de608a63cb4cd9876c1f9cd5a40af8d33bfbb57b5b93f33b6ecbd806c02b796fb08da7737ded09f1bf1b11ede670eb843f7bd327028b4a3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\gyloruaeokwoixo\327ee53c = 25a78e56abdfd47406fa4674dac7583b55125eb16fde4dd4dc8a21474b0284cd1654ec06565148abd5bfb0b12463bdfa989ba87c8c83498d06da3094e048957e31	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\gyloruaeokwoixo\97e5c6bb = 86c3935ef4d0dc76ff3af458d7f724a42ae96ec058c92f9c5b9b72919a567b89f289fd14aea241e1b386de6d4ca37fc417b1d21ed5d71a002a14cac37c1160dcde	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\gyloruaeokwoixo\d678eed = c6376af09828b5f069b21c0b0ccf578f125f648189198389fc6fb45fa093262c58	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\gyloruaeokwoixo\5b4fc625 = 85d2bf33a312c8f8fdccca5949acc283b1f80bd2e8fb365b5b92369e4c3ee6c76d6cb19212a1cc7517abaee67889929882028102259df5cedbaa547129295967fc3ce21ed7bd005b741a3ab3ff4c4bf6c5792bf7923291a594d5c60c4a0e99389228ddeab90d9b0d690857381f7633b5cc8adc28445306dabcfb6ba4be829aedd82b3cc90df156af3fd612ef812d7b7c8cd7e0d269e0c788676b57de5c3f022d8fdbdef2206282df18af6bf9144a559c167c0b39c6e3d2b5257045c7ce6a1df569	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4832	rundll32.exe
4832	rundll32.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe
1144	wermgr.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 1144	4832	rundll32.exe	84
PID 4832 wrote to memory of 1144	4832	rundll32.exe	84
PID 4832 wrote to memory of 1144	4832	rundll32.exe	84
PID 4832 wrote to memory of 1144	4832	rundll32.exe	84
PID 4832 wrote to memory of 1144	4832	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1144

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1144-26-0x000002668C210000-0x000002668C23E000-memory.dmp

Filesize
184KB

Download
memory/1144-27-0x000002668C210000-0x000002668C23E000-memory.dmp

Filesize
184KB

Download
memory/1144-32-0x000002668C210000-0x000002668C23E000-memory.dmp

Filesize
184KB

Download
memory/1144-30-0x000002668C210000-0x000002668C23E000-memory.dmp

Filesize
184KB

Download
memory/1144-15-0x000002668C210000-0x000002668C23E000-memory.dmp

Filesize
184KB

Download
memory/1144-8-0x000002668C240000-0x000002668C242000-memory.dmp

Filesize
8KB

Download
memory/1144-29-0x000002668C210000-0x000002668C23E000-memory.dmp

Filesize
184KB

Download
memory/1144-28-0x000002668C210000-0x000002668C23E000-memory.dmp

Filesize
184KB

Download
memory/1144-9-0x000002668C210000-0x000002668C23E000-memory.dmp

Filesize
184KB

Download
memory/4832-7-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/4832-0-0x0000000069140000-0x00000000691BE000-memory.dmp

Filesize
504KB

Download
memory/4832-25-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/4832-1-0x000001F5195C0000-0x000001F5195EF000-memory.dmp

Filesize
188KB

Download
memory/4832-6-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/4832-3-0x000001F519590000-0x000001F5195BD000-memory.dmp

Filesize
180KB

Download